Impact
If an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker.
This implies the following:
- The attacker can overwrite arbitrary files in any cloud storage that the victim can access.
- If the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export.
Patches
Update to CVAT 2.14.3.
Workarounds
N/A
References
Fix commit: 5d36d10
Impact
If an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker.
This implies the following:
Patches
Update to CVAT 2.14.3.
Workarounds
N/A
References
Fix commit: 5d36d10